Thursday, April 30, 2015

Lessons from CSI:Cyber

Unrealistic scenarios aside, CSI: cyber is doing some good by bringing attention to real issues (albeit in far-fetched ways), and perhaps inspiring future digital forensic analysts.
The CSI: franchise has been a very successful television endeavor, combining entertainment with a view into how forensic science is used to identify and prosecute criminals. Needless to say, creative liberty is taken to fit a story into a 42 minute episode, but it never pretended to be instructional. It's TV, not a college class. I have no training in pathology or chemical analysis, and only a basic background in the physics of force and motion, but I've been involved in cyber technologies since before "cyber" was a household term.

There has been considerable complaint from my industry over the way CSI: Cyber sensationalizes real events, and invents wholly unrealistic threats, for the sake of entertainment. I get it - I really do. The daily grind of a real cyber expert is not nearly as exciting as an action-packed TV episode. Hours of digging through logs or interpreting a pcap (a record of network traffic) wouldn't make for very exciting television. As researcher/hacker Charlie Miller recently said on Twitter, real hacking doesn't happen in the span of a 42-minute made-for-TV episode. It is the result of days, weeks, or even years of research, learning, and poking at a topic.

Car hacking doesn't happen over a drunken weekend.

That said, I differ from many of my peers. Unrealistic scenarios aside, I think the show is doing some good, by bringing attention to real issues (albeit in far-fetched ways), and perhaps inspiring future digital forensic analysts. The April 29 episode in particular shone a light on some real concerns. In fact, as the show began I had to wonder if a producer had rescheduled this particular episode to capitalize on a topic that has been in the media over the last two weeks. The first few minutes were straight from the headlines.

On April 15, the US Government Accountability Office issued a report that suggested in-flight Wi-Fi systems on modern commercial aircraft could offer a hacker access to critical systems controlling the passenger cabin as well as flight avionics. Later that same day, a researcher that has spent years investigating the security design of aircraft posted an ill-advised (though completely tongue in cheek) comment while flying. The airline, and the FBI, were not amused, and met him at the gate when the flight landed. He had not actually done anything so was released a few hours later (minus all the electronics he had on the plane), but the FBI and TSA later issued a public alert warning passengers to be on the lookout for anyone attempting to hack an airplane. So we have a TV episode beginning with a denial of service attack against in-flight Wi-Fi:

Plausibility: straight from the headlines, although I don't see the real-life FAA grounding 9 jets just because their in-flight passenger Wi-Fi has been disabled.

Shall we play with the onboard control systems, while flying in said airplane?

As the episode unfolds, we learn that the Wi-Fi was disabled by a phone sending out a flood of wireless traffic. The phone had been infected with malware when its owner plugged into a USB power port at the airport. Juice Jacking is a very real scenario, and one I have discussed on this blog before. The USB cables used to charge mobile devices are also capable of transferring data and programs, both legitimately and maliciously. I carry a special power-only cable (readily available for $5 or $10 from Amazon, or most stores with a well-stocked electronics department). This cable is missing the physical wires used for transferring data, so it can only be used to deliver power. If I must charge from someone else's USB port, I will always use this cable - but it's just as easy to carry an A/C adapter myself. No one has (yet) invented a way to deliver malware through a 120 volt AC outlet.

CSI: Cyber oversimplifies the risk though: there are several mobile operating systems (iOS, Android, and to a limited extent, Windows), each with a myriad variations. Many devices (at least ones with newer operating systems) will give the owner an alert if a USB-attached computer tries to upload or download anything. While is is certainly possible that an OS vulnerability could bypass this alert, it's a bit far fetched to think a malicious USB charging station is going to have exploits for every possible device OS that it might encounter.

Plausibility: absolutely possible, though not as easy as the show makes it seem.

Why go to the effort of infecting mobile devices and crashing the in-flight Wi-Fi? As it turns out, the mastermind behind this made-up event has a variety of things in mind, all of which begin with data stored on passenger phones. A senator with private government documents on her phone (or at least that's the line she gives). A woman with photos she doesn't want her fiance to see. Other secrets that the hacker can use for blackmail. Real-world ransomware tends to come in two forms: CryptoLocker, TeslaCrypt, and related forms encrypt (scramble) the data on a device, and then sell you the key to recover the data. If you don't pay, the data is gone forever. A second approach is so-called "police warning" malware, in which the malware claims to have found evidence of criminal activity that will be reported to the authorities if you do not pay a fee. CSI: Cyber envisioned an attack that blended the latter with a variation of "sextortion," in which the attacker either steals or convinces the target to give up compromising photographs, and then threatens to make them public unless the victim pays a blackmail fee.

Plausibility? Unfortunately, very real, as last year's lesson with Snapchat so starkly showed.

Ransom was not the only goal of the attacker in this episode though. In addition to sensitive documents and photographs, the attacker managed to steal credit card numbers. From every passenger. And charged each card to its limit while the cardholder was airborne, with no way to receive any potential fraud alerts from the bank.

I don't know about you, but my credit card numbers are not stored on my phone (though with Apple Pay and related mobile payment services gaining in popularity, that might be changing). Even if they were, it's a stretch to think a coordinated attack could steal hundreds of cards, and use them immediately for profit. The more typical approach with stolen card numbers is to market them through an underground carder shop, the world that Brian Krebs so intimately knows.

Plausibility: nah.

As all the pieces fall together, "elite hacker" Daniel Krumitz visually looks through the malware recovered from infected phones, and sees a "signature" that matches what he has seen before. This signature reveals the identity of the criminal behind the events. Through a combination of video surveillance and luck, the task force locates and apprehends her before the end of the show.

In reality, attribution and prosecution are very difficult. If we discover an incident, we are pretty good at working out what the attacker did, and how they did it. Actually identifying who it was though is often difficult. Even if the culprit can be accurately identified, they may well reside in a country with different laws, or one willing to look the other way if a crime happens outside their national borders. Attribution is something of a joke in the security industry, to the point that there are "Attribution 8 Ball" Twitter bots and conference giveaways.

Plausibility: are you kidding?

All in all, we have a few very real cyber threats portrayed in a rather far-fetched coordinated attack, with the mastermind located and arrested in a matter of hours. All good fun, right? Let the flaming begin...